Docs Home → Launch & Manage MongoDB → MongoDB Atlas
Storage Engine and Cloud Backup Encryption
On this page
Atlas encrypts all snapshots using your cloud provider's standard storage encryption method, ensuring the security of cluster data at rest. Your cloud provider manages the encryption keys. For projects and clusters using Encryption at Rest using Customer Key Management, Atlas applies an additional layer of encryption to your snapshots using the Key Management Service (KMS) provider configured for the cluster.
To view the key used to encrypt a snapshot:
In Atlas, go to the Database Deployments page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Database Deployments page is not already displayed, click Database in the sidebar.
Go to the Backup page for your cluster.
Click your cluster's name.
Click the Backup tab.
If the cluster has no Backup tab, then Atlas backups are disabled for that database deployment and no snapshots are available. You can enable backups when scaling the cluster.
Click Snapshots.
Note the Encryption Key ID.
Note the Encryption Key ID for each snapshot in the cluster. Atlas lists the Key Identifier used to encrypt the snapshot. Unencrypted snapshots display Not enabled.
Important
Atlas requires access to the encryption key associated to the snapshot's Encryption Key ID to successfully restore that snapshot.
Before deleting an Encryption Key ID used with Atlas Encryption at Rest using your Key Management, check every backup-enabled cluster in the project for any snapshots still using that Encryption Key ID. Once you delete an encryption key, all snapshots encrypted with that key become inaccessible and unrecoverable.
Atlas automatically deletes backups in accordance to the Backup Scheduling, Retention, and On-Demand Snapshots. Once Atlas deletes all snapshots depending on a given Encryption Key ID, you can delete the key safely.
If disabling a Encryption Key ID, you must re-enable the key before restoring a snapshot encrypted with that key.
For complete documentation on configuring Encryption at Rest using your Key Management for an Atlas project, see Encryption at Rest using Customer Key Management. You can then either deploy a new cluster or enable an existing cluster with Encryption at Rest using your Key Management.